WO 2004/056036 



PCT/IB2003/005508



CLAIMS: 

1. An apparatus for performing a SubByte function of the Rijndael Block Cipher,
comprising:

an S-box constructed by composing a first and second transformation,
wherein the first transformation is a look-up table (300), and the second transformation is an
affine-all transformation that performs both an affine and inverse affine transformation.

2. The apparatus as claimed in claim 1, wherein: 

the look-up table (300) is the multiplicative inverse in the finite field GF(2^8) having
{00} mapped to itself; and

the affine-all transformation is implemented using a combinational logic circuit
(400).

3. The apparatus as claimed in claim 2, wherein: 

the look-up table (300) is implemented by a read-only memory (ROM); and 
the combinational logic circuit (400) implements the equations 
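$$
\begin{aligned}
b'_0 &= [(b_0 \wedge p_0) \oplus (b_1 \wedge p_1) \oplus (b_2 \wedge p_2) \oplus (b_3 \wedge p_3) \oplus (b_4 \wedge p_4) \oplus (b_5 \wedge p_5) \oplus (b_6 \wedge p_6) \oplus (b_7 \wedge p_7)] \oplus v_0 \\
b'_1 &= [(b_0 \wedge p_7) \oplus (b_1 \wedge p_0) \oplus (b_2 \wedge p_1) \oplus (b_3 \wedge p_2) \oplus (b_4 \wedge p_3) \oplus (b_5 \wedge p_4) \oplus (b_6 \wedge p_5) \oplus (b_7 \wedge p_6)] \oplus v_1 \\
b'_2 &= [(b_0 \wedge p_6) \oplus (b_1 \wedge p_7) \oplus (b_2 \wedge p_0) \oplus (b_3 \wedge p_1) \oplus (b_4 \wedge p_2) \oplus (b_5 \wedge p_3) \oplus (b_6 \wedge p_4) \oplus (b_7 \wedge p_5)] \oplus v_2 \\
b'_3 &= [(b_0 \wedge p_5) \oplus (b_1 \wedge p_6) \oplus (b_2 \wedge p_7) \oplus (b_3 \wedge p_0) \oplus (b_4 \wedge p_1) \oplus (b_5 \wedge p_2) \oplus (b_6 \wedge p_3) \oplus (b_7 \wedge p_4)] \oplus v_3 \\
b'_4 &= [(b_0 \wedge p_4) \oplus (b_1 \wedge p_5) \oplus (b_2 \wedge p_6) \oplus (b_3 \wedge p_7) \oplus (b_4 \wedge p_0) \oplus (b_5 \wedge p_1) \oplus (b_6 \wedge p_2) \oplus (b_7 \wedge p_3)] \oplus v_4 \\
b'_5 &= [(b_0 \wedge p_3) \oplus (b_1 \wedge p_4) \oplus (b_2 \wedge p_5) \oplus (b_3 \wedge p_6) \oplus (b_4 \wedge p_7) \oplus (b_5 \wedge p_0) \oplus (b_6 \wedge p_1) \oplus (b_7 \wedge p_2)] \oplus v_5 \\
b'_6 &= [(b_0 \wedge p_2) \oplus (b_1 \wedge p_3) \oplus (b_2 \wedge p_4) \oplus (b_3 \wedge p_5) \oplus (b_4 \wedge p_6) \oplus (b_5 \wedge p_7) \oplus (b_6 \wedge p_0) \oplus (b_7 \wedge p_1)] \oplus v_6 \\
b'_7 &= [(b_0 \wedge p_1) \oplus (b_1 \wedge p_2) \oplus (b_2 \wedge p_3) \oplus (b_3 \wedge p_4) \oplus (b_4 \wedge p_5) \oplus (b_5 \wedge p_6) \oplus (b_6 \wedge p_7) \oplus (b_7 \wedge p_0)] \oplus v_7
\end{aligned}
$$

having $p = p_0 p_1 p_2 p_3 p_4 p_5 p_6 p_7$ as a load pattern consisting of {10001111} for the affine
transformation and {00100101} for the inverse affine transformation and having $v$ as a load
vector $= v_0 v_1 v_2 v_3 v_4 v_5 v_6 v_7$ consisting of {11000110} for the affine transformation and
{10100000} for the inverse affine transformation.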

4. An apparatus for encrypting and decrypting data, comprising: 
a data processing module arranged to perform a byte substitution, wherein at least
part of said data processing module comprises:

a look-up table (300),

a storage device for storing the look-up table, and

a circuit (400) having shared logic that performs a single transform that accomplishes
either an affine and an inverse affine transformation.

5. The apparatus as claimed in claim 4 wherein said look-up table (300) is a 
multiplicative inverse of the finite field GF(2^8).

6. The apparatus as claimed in claim 5, wherein said look-up table (300) is implemented
by means of a read only memory (ROM).

7. The apparatus as claimed in claim 4, wherein said look-up table (300) is implemented 
by means of a read only memory (ROM). 

8. The apparatus as claimed in claim 4, wherein the apparatus comprises a plurality of 
instances of a data processing module arranged in a data processing pipeline. 

9. The apparatus as claimed in claim 4, wherein the apparatus is arranged to perform
encryption or decryption in accordance with the Rijndael Block Cipher, and wherein the data
processing module is arranged to implement a Rijndael round.

10. An apparatus as claimed in claim 9, wherein the data processing module is arranged
to implement the SubByte transformation of the Rijndael round using the look-up table
composed with the affine transformation for encryption and the inverse affine transformation
for decryption.

11. The apparatus as claimed in claim 10, wherein said look-up table (300) is
implemented by means of a read only memory (ROM). 

12. An apparatus for performing a SubByte function of a round of the Rijndael Block
Cipher, comprising an S-box constructed by composing,

means for obtaining the multiplicative inverse in the finite field GF(2^8), and

means for performing an affine-all transformation consisting of an affine and inverse
affine transformation as a single affine transformation.

13. The apparatus as claimed in claim 12, wherein said means for obtaining the
multiplicative inverse is a look-up table (300), and said means for performing the affine-all
transformation is a combinational logic circuit (400).

14. A method for performing a SubByte function of a Rijndael round of the Rijndael 
Block Cipher, comprising the steps of: 

creating a look-up table (300) for the multiplicative inverse in the finite field
GF(2^8);

providing an affine-all transformation consisting of an affine and inverse affine
transformation in a single affine transformation;

composing an S-box constructed of the look-up table (300) and the affine-all 
transformation; and 

performing a non-linear byte substitution using the composed S-box.

15. The method of claim 14, wherein the providing step further comprises the step of 
providing a shared logic circuit (400) that performs the single affine transformation. 

16. The method of claim 14, further comprising the step of storing the look-up table
(300) in a read-only memory (ROM).

17. The method of claim 16, wherein the providing step further comprises the step of 
implementing a shared logic circuit (400) that performs the single affine transformation. 

18. The method of claim 14, wherein: 

the look-up table (300) is the multiplicative inverse in the finite field GF(2^8) having
{00} mapped to itself; and

the providing step further comprises the step of implementing a combinational logic 
circuit (400) that performs the single affine transformation (400).
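
The construction of claims 3 and 14 (a multiplicative-inverse look-up table composed with one affine-all circuit driven by a load pattern and load vector), as an added Python example that is not part of the patent text. The function names are illustrative, and bit 0 is assumed to be the least significant bit as in FIPS-197, since the claims do not state the bit ordering.

```python
# Added example (not from the patent). Bit 0 is taken as the least significant
# bit, as in FIPS-197; the claims do not state the ordering (assumption).
AFFINE = ("10001111", "11000110")      # (load pattern p0..p7, load vector v0..v7)
INV_AFFINE = ("00100101", "10100000")

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_inverse_table():
    """Look-up table (300): multiplicative inverse, {00} mapped to itself."""
    table = [0] * 256
    for x in range(1, 256):
        if table[x] == 0:
            y = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
            table[x], table[y] = y, x
    return table

def affine_all(byte, load):
    """b'_i = XOR_j (b_j AND p_((j - i) mod 8)) XOR v_i, for either load."""
    p = [int(c) for c in load[0]]
    v = [int(c) for c in load[1]]
    out = 0
    for i in range(8):
        bit = v[i]
        for j in range(8):
            bit ^= ((byte >> j) & 1) & p[(j - i) % 8]
        out |= bit << i
    return out

INV = build_inverse_table()

def sub_byte(x):
    """Encryption direction: table look-up, then the affine load."""
    return affine_all(INV[x], AFFINE)

def inv_sub_byte(x):
    """Decryption direction: inverse-affine load, then the same table."""
    return INV[affine_all(x, INV_AFFINE)]

if __name__ == "__main__":
    print(hex(sub_byte(0x53)), hex(inv_sub_byte(0xED)))
```

Only the load pattern and load vector differ between the two directions; the table and the bit-level equations are shared, and the outputs match the standard AES S-box and inverse S-box.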